Sunday, October 25, 2015

Installing SSL Certificate in Apache Jakarta Tomcat

What is SSL Certificate:

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the https protocol (port 443) and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently it is becoming the norm for securing browsing of social media sites. SSL Certificates bind together:

  • A domain name, server name or hostname.
  • An organizational identity (i.e. company name) and location.

Objective:

We will install an SSL certificate for the my.abc.com.bd domain. Once it is in place, all requests to http://my.abc.com.bd will be redirected to https://my.abc.com.bd.

Scenario & Tested Environment:

Domain is: my.abc.com.bd
OS: Red Hat Enterprise Linux 5
Tomcat: jakarta-tomcat-4.1.24
Used Tool/Command: keytool (keytool is a key and certificate management utility)

Steps:

  1. CSR (Certificate Signing Request) Generation
  2. Submit CSR to CA (Certification Authority (CA) is an entity that issues digital certificates)
  3. Certificate Installation after receiving certificates from CA
  4. Apache Jakarta Tomcat Configuration Modification
  5. Restart Jakarta Tomcat Service


1. CSR (Certificate Signing Request) Generation:

What is a CSR? A CSR or Certificate Signing Request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

A CSR is a block of text that begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----. To generate the key pair and keystore:

[root@localhost]# /opt/jdk1.5.0_21/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123

What is your first and last name?
[Unknown]: my.abc.com.bd
What is the name of your organizational unit?
[Unknown]: IT/Technology
What is the name of your organization?
[Unknown]: ABC Technologies
What is the name of your City or Locality?
[Unknown]: Road # 2 House # 2 Gulshan # 2
What is the name of your State or Province?
[Unknown]: Dhaka
What is the two-letter country code for this unit?
[Unknown]: BD

Is CN=my.abc.com.bd, OU=IT/Technology, O=ABC Technologies, L=Road # 2 House # 2 Gulshan # 2, ST=Dhaka, C=BD correct?

[no]: yes

Enter key password for <mykey>
(RETURN if same as keystore password): abcbd123


This will generate a keystore file named my.abc.com.bd.keystore containing the private key under the default alias mykey.
Using this keystore, we generate the CSR file:

[root@localhost]#/opt/jdk1.5.0_21/bin/keytool -certreq -keyalg RSA -file /opt/sslcert/my.abc.com.bd.csr -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123

[root@localhost]# ls
my.abc.com.bd.csr my.abc.com.bd.keystore

2. Submit CSR to CA

Send the CSR file (my.abc.com.bd.csr) together with the necessary organization details to the CA.


3. Certificate Installation

You will receive the following files from the CA:

  • AddTrustExternalCARoot.crt
  • my_abc_com_bd.crt
  • TrustedSecureCertificateAuthority5.crt
  • USERTrustRSAAddTrustCA.crt

Execute the following commands from the directory containing both the CSR and the keystore file. In our case, the working directory is /opt/sslcert/:

[root@localhost]#keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -alias TrustedSecureCertificateAuthority5 -file TrustedSecureCertificateAuthority5.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -alias USERTrustRSAAddTrustCA -file USERTrustRSAAddTrustCA.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -alias my.abc.com.bd -file my_abc_com_bd.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -file my_abc_com_bd.crt -keystore my.abc.com.bd.keystore

The last command, run without -alias, imports the server certificate under keytool's default alias mykey, which is the alias the private key was generated under in step 1. Only an import under the key's own alias installs the certificate as a reply to that key (keytool reports "Certificate reply was installed in keystore"); importing the same file under a different alias, as in the previous command, only adds a standalone trusted certificate entry that Tomcat will not serve.


4. Jakarta Tomcat Configuration

Open the $TOMCAT_HOME/conf/server.xml file and add the entries below. The HTTP connector's redirectPort must point at the port the SSL connector listens on; with the values shown, a request to http://my.abc.com.bd is redirected to https://my.abc.com.bd:8443, so to get the plain https://my.abc.com.bd URL from the objective, run the SSL connector on port 443 and set redirectPort="443" (or forward 443 to 8443 in front of Tomcat).

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 80 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="80" minProcessors="30" maxProcessors="600"
    enableLookups="false" redirectPort="8443"
    acceptCount="100" debug="0" connectionTimeout="20000"
    useURIValidationHack="false" disableUploadTimeout="true" strategy="ms" tcpNoDelay="true" />
<!-- Note : To disable connection timeouts, set connectionTimeout value to -1 -->
.............
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector address="1.2.3.4" className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8443" minProcessors="10" maxProcessors="200"
    enableLookups="true" acceptCount="100" debug="0" scheme="https" secure="true"
    connectionTimeout="20000" useURIValidationHack="false" disableUploadTimeout="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
        clientAuth="false" keystoreFile="/opt/sslcert/my.abc.com.bd.keystore" keystorePass="abcbd123"
        keystoreType="JKS" protocol="TLS" randomFile="/opt/random.pem" rootFile="/opt/root.pem"/>
    ......
</Connector>

<Host name="1.2.3.4" debug="0" appBase="<Document root>"
    unpackWARs="true" autoDeploy="true">
    <Alias>my.abc.com.bd</Alias>
    <Context path="" docBase="<Document root>" debug="0"
        reloadable="true" crossContext="true" />
</Host>
.............

Open the <Document Root>/WEB-INF/web.xml file and add the entries below. The CONFIDENTIAL transport guarantee on /* is what makes Tomcat redirect plain HTTP requests to the redirectPort of the connector they arrived on:

<web-app>
.............
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- auth-constraint goes here if you require authentication -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
.............
</web-app>
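The redirect from http:// to https:// only works when the HTTP connector's redirectPort, the SSL connector's port and the CONFIDENTIAL constraint in web.xml line up. The script below is an added example (not from the post or from Tomcat) that checks the three against constructed copies of the two files; it assumes attributes are written name="value" on one tag, no commented-out connectors remain in server.xml, and a grep that supports -o (GNU or BSD).

```shell
# Added example: check the HTTP-to-HTTPS redirect wiring of a Tomcat 4
# server.xml/web.xml pair before restarting. Not part of the original post.

# make_samples DIR -> writes constructed server.xml and web.xml mirroring the post
make_samples() {
    cat > "$1/server.xml" <<'EOF'
<Connector port="80" redirectPort="8443" enableLookups="false" />
<Connector port="8443" scheme="https" secure="true">
  <Factory keystoreFile="/opt/sslcert/my.abc.com.bd.keystore" clientAuth="false" />
</Connector>
EOF
    cat > "$1/web.xml" <<'EOF'
<web-app><security-constraint><web-resource-collection>
<url-pattern>/*</url-pattern></web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint></web-app>
EOF
}

# ssl_port FILE -> port of the connector marked secure="true"
ssl_port() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*secure="true"[^>]*>' \
        | grep -o ' port="[0-9]*"' | head -n 1 | cut -d'"' -f2
}

# redirect_port FILE -> redirectPort of the first connector that is not SSL
redirect_port() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' | grep -v 'secure="true"' \
        | grep -o 'redirectPort="[0-9]*"' | head -n 1 | cut -d'"' -f2
}

# has_confidential FILE -> success if web.xml forces CONFIDENTIAL transport on /*
has_confidential() {
    tr '\n' ' ' < "$1" \
        | grep -q '<url-pattern>/\*</url-pattern>.*<transport-guarantee>CONFIDENTIAL</transport-guarantee>'
}

# redirect_url SERVER_XML WEB_XML HOST -> URL an http://HOST request is redirected to
redirect_url() {
    has_confidential "$2" || { echo "no CONFIDENTIAL constraint on /*: http://$3 stays in clear"; return 1; }
    sp=$(ssl_port "$1"); rp=$(redirect_port "$1")
    [ -n "$sp" ] && [ "$sp" = "$rp" ] || { echo "redirectPort=$rp does not match the SSL connector port=$sp"; return 1; }
    # the redirected URL carries the port unless the SSL connector is on the default 443
    if [ "$sp" = 443 ]; then echo "https://$3"; else echo "https://$3:$sp"; fi
}

sample_dir=$(mktemp -d); make_samples "$sample_dir"
redirect_url "$sample_dir/server.xml" "$sample_dir/web.xml" my.abc.com.bd   # https://my.abc.com.bd:8443
```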


5. Restart Jakarta Tomcat Service

[root@localhost]#sh $TOMCAT_HOME/bin/shutdown.sh
[root@localhost]#sh $TOMCAT_HOME/bin/startup.sh


Check the log file as well:
[root@localhost]#tail -f $TOMCAT_HOME/logs/catalina.out


Cheers :-) !!!

Saturday, October 24, 2015

Archive or Delete Old Files

With a single command in Linux, we can archive or delete thousands of files.

Objective: Delete old pdf files more than 60 days old.


mtime
mtime is the file modify time. The mtime gets updated when you modify a file. Whenever you update content of a file or save a file the mtime gets updated.

For instance, "/opt/jakarta-tomcat-4.1.24/temp/" directory contains old pdf files. We want to delete those files which were last modified more than 60 days ago.

find /opt/jakarta-tomcat-4.1.24/temp/ -name '*.pdf' -mtime +60 -type f -exec rm -f {} \;


Objective: Archive old pdf files more than 60 days old.

find /opt/jakarta-tomcat-4.1.24/temp/ -name '*.pdf' -mtime +60 -type f -exec mv -f {} /app/u04/logs/oldpdf/ \;

The -name pattern is quoted so that the shell does not expand it against the current directory before find runs.


Objective: Archive all files from one server to another.

Source location: /opt/RadiusCDR/CSV/10.10.0.69/
Destination location: /app/u03/rman_backup/Radius_CSV_Backup/10.10.0.69/
Destination IP: 10.10.10.3


find /opt/RadiusCDR/CSV/10.10.0.69 -name 'CDRs_2012-12-*' -type f -exec scp -p {} root@10.10.10.3:/app/u03/cdr_backup/Radius_CSV_Backup/10.10.0.69/ \;

cp cannot write to a remote host, so the copy goes through scp (one SSH session per file, -p preserving the modification times); the destination directory must already exist on 10.10.10.3.
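Passing a shell glob to find, or leaving the -name pattern unquoted, lets the shell expand it against the current directory before find ever runs, and the command breaks on an empty directory or on thousands of matches. The functions below are an added example (not from the post) that do the delete and archive jobs above with the directory handed to find and the pattern quoted, plus a dry-run listing; they assume a find with -maxdepth and -exec ... + (GNU or BSD).

```shell
# Added example, not from the post: age-based PDF cleanup as reusable functions.

# archive_old DIR DAYS DEST -> move *.pdf older than DAYS days from DIR into DEST
archive_old() {
    mkdir -p "$3" || return 1
    # one mv per file: portable and safe with file names containing spaces
    find "$1" -maxdepth 1 -type f -name '*.pdf' -mtime +"$2" -exec mv -f {} "$3" \;
}

# delete_old DIR DAYS -> remove *.pdf older than DAYS days from DIR
delete_old() {
    # "+" batches many files into one rm instead of forking once per file
    find "$1" -maxdepth 1 -type f -name '*.pdf' -mtime +"$2" -exec rm -f {} +
}

# list_old DIR DAYS -> dry run: print what the two functions above would touch
list_old() {
    find "$1" -maxdepth 1 -type f -name '*.pdf' -mtime +"$2" -print
}

# count_pdfs DIR -> number of *.pdf directly inside DIR (used to verify a run)
count_pdfs() {
    find "$1" -maxdepth 1 -type f -name '*.pdf' | wc -l | tr -d ' '
}

# Constructed demo: one old and one new PDF in a temporary directory
demo_dir=$(mktemp -d)
touch -t 201501010000 "$demo_dir/old.pdf"   # mtime far older than 60 days
touch "$demo_dir/new.pdf"
list_old "$demo_dir" 60                       # prints only old.pdf
```

Run list_old first with the same DIR and DAYS you intend to pass to archive_old or delete_old; it is the only way to see what -mtime +N selects before anything is moved.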


Cheers!!

Tuesday, October 20, 2015

Configuring Host Grapher in Windows

What is Host Grapher?
Host Grapher is a very light and effective program to gather host statistics like CPU, memory and processes. It has been written to be light and fast. One of the differences from other programs is that instead of the server doing all the work of asking the clients for the information, it is the client's task to tell the server its own info. There will be clients for Linux, FreeBSD, Solaris, Windows and Tru64. There will also be a gateway program to include routers.

How does it work?
First install the server on one machine, then install the client on the clients. On Unix the client uses the crontab facility; on Windows it will be installed as a service. Security has not been an issue yet, so there is only a simple general password authentication. Before any records are kept, the client has to issue a registration request.

To install on the Windows platform, download the server and client software from the site:
  • Configure the Host Grapher Server
1) After downloading the .zip file, extract it to C:\ (e.g. C:\GrapherServer)
2) Go to C:\GrapherServer\etc
     You have to edit the following two files:
          – apache.txt
          – password.txt
3) apache.txt contains the main data needed to put Apache to work: define the Port, ServerAdmin Email and ServerName. Please note that if you are already running an HTTP server on the machine then you cannot reuse port 80. Choose another port like 8080.
4) password.txt contains a simple plain-text password for client authentication. Put in a password for the clients to authenticate with.
5) Now change back to C:\GrapherServer and double click on install.bat. The script will install the following two services:
          – inetd
          – hg2apache

6) If everything worked fine then you should be able to reach the following URL: http://localhost/ or http://localhost:port/ (port being the number you have set in apache.txt)
  • Configure the Clients
1) Uncompress the downloaded files to C:\Grapher2
2) Edit the file C:\grapher2\grapher.conf
3) Save and exit the file.
4) Run info.bat to find out which network cards you have on your machine.
5) Run install.bat
6) Run register.bat
N.B.:
// register.bat -> will reset all information and register the client on the server; this has to be run at least once.
// upgrade.bat  -> you should run this when you change anything in the config file
// info.bat     -> will give you information about the program.
Cheers!!!

Add New Disk Space to a Virtual Machine in Linux - in VMware

Among the many FAQs about virtual machines, a very common question is how to add a new disk. Here are the plain and simple steps to do that:
Objective: Add new disk space to a virtual machine in Linux.
Step 1: Open/Edit virtual machine settings:
Select your virtual machine and press “Edit virtual machine settings”

Step 2: Add new hardware:
From Hardware section click “Add” > “Next”

Step 3: Select new Hard Disk:
From Hardware type select Hard Disk and click “Next”

Step 4: Create the Disk Type:
Recommended Virtual Disk Type should be SCSI (don’t know why :-P). Select the Disk type from available options:

Step 5: Set Disk Capacity & Options:
Now set the capacity you want to create. One of the nice features of VMware is that you don’t have to allocate all of the disk space when you create it. So if you create a 20GB disk it won’t take all the space right away (unless you check the box); the disk will grow as your virtual machine needs it. Lastly, you can split the files into 2GB sizes; while this isn’t necessary, it makes the disks much easier to manage and move around. In this example we are adding 20GB.

Step 6: Specify VM Disk File:

Step 7: Ensure the newly added disk appears in the Hardware list:

Step 8: Boot & Power On the Virtual Machine.
Step 9: Create new Partition:
Log in as root. In Linux the first SCSI drive is sda, the second sdb, the third sdc, etc. Since this was the second SCSI drive we added to the VM, the device is known as /dev/sdb.
[root@localhost ~]# fdisk /dev/sdb
Press m for help
To create a new partition, press n
This is going to be a primary partition so press p
Partition number is 1
Enter first Cylinder Number:
Enter Last Cylinder number: +20480M (because our disk size is 20GB)
Press w for write and save the partition table.
Step 10: Format the partition:
Now we have to format the partition with new file system. We’ve decided to use ext3 file system for newly added disk.
[root@localhost ~]# mkfs -t ext3 /dev/sdb1
The above command formats the /dev/sdb1 partition with an ext3 file system (-t fstype; see man mkfs).
Step 11: Creating Mount Point for new partition:
Create a new directory named app under /
[root@localhost ~]# mkdir -p /app
[root@localhost ~]# mount -t ext3 /dev/sdb1 /app
Check whether the partition is properly mounted by running the following command:
[root@localhost ~]# df -kh
Step 12: Edit /etc/fstab for permanent entry:
The mount won't survive a reboot unless you add an /etc/fstab entry:
/dev/sdb1 /app ext3 defaults 1 1
Cheers :) !!

Restore Archived Log into VMware Aria Operations for Logs (formerly known as vRealize Log Insight - vRLI)

As we cannot keep all logs in searchable space in vRLI production system due to performance and slowness issue, it is always recommended to ...